Teams and User Access Control
Manage user roles and permissions by inheriting from third-party services or setting custom rules.
Stackbit allows you to create different types of access for your team members through one of three methods:
- Third-Party Service: Leveraging existing roles from content sources
- Single-Sign On: Using SSO to integrate with existing organization systems (enterprise only)
- Built-In: Setting your own roles, using pre-defined permissions
Basic Concepts
Let's cover a few of the basic concepts to help contextualize how user management works.
Project Collaborators
Collaborators are Stackbit users invited to contribute to a project. If the project belongs to an organization, collaborators must also become members of that organization before they can be project collaborators.
There are four pre-defined roles in Stackbit, with the following names and permissions:
- Viewer: View (read) access only
- Editor: Edit access, can't publish content changes
- Publisher: Edit and publish content changes, but not code changes; can't invite collaborators unless also an admin in the organization
- Developer: Edit and publish content and code; can also invite collaborators and manage project settings (integrations, publishing workflows setup, etc.)
Additionally, organization admins can also create custom roles.
Organization Members
Organizations let you manage access to projects by teams. There are two built-in organization member roles:
- Admin: Full control over the organization, including project access and creation, and members and teams management.
- Member: Access to see projects they have been added to directly. Individual user permission may override this setting.
The same organization member can have different roles in different teams and projects, but always the same role in the organization (admin or member).
Organization admins can also create custom roles.
Organization Teams
Teams are organization members grouped into the same role.
Single-Sign On (SSO)
SSO lets members of enterprise customers use their company credentials to edit projects in Stackbit. It is only available as an enterprise feature.
Available functionality includes synchronization with the Identity Provider (IdP) of choice via SSO for the following:
- User addition/deletion
- Member role sync via IdP groups
- Default project role sync via IdP groups
Inviting Members to Organization
To invite a new member to the organization in Stackbit, go to Manage Organization > All Members > Invite Member.
Users will get an invitation by email. They will appear as pending until they accept the invitation. If using SSO, see below for inviting and managing organization members.
Organization Member Attributes
Organization members come with two main attributes:
- Member Role: The role in the organization. If using SSO, this can be synced with roles in the Identity Provider.
- Default Project Role: (optional) This is helpful for organizations with cross-functional teams. If using SSO, this can be synced with roles in the Identity Provider.
Managing SSO Users
If using SSO, the organization gets defined in the Identity Provider (IdP). Stackbit is kept in sync with the IdP and reflects the additions, deletions, and data updates made there. SSO users cannot be added or removed via Stackbit.
Stackbit also updates user roles (role in the organization and default project role) according to groups in the IdP or the user attributes in the IdP. SSO user roles can't be edited from Stackbit.
Configuring SSO for Stackbit
To set up SSO to work with Stackbit, go to your IdP and find the place to add a custom attribute for groups and/or for users (depending on how you're planning to use SSO with Stackbit).
Two custom attributes need to be created following the details in the tables below.
Organization Role
Default Project Role
How SSO Sync Works
When a user logs in to Stackbit for the first time, Stackbit will get their organization role and their default project role from the group they're assigned to in the IdP.
This value can't be edited from Stackbit. When changed in the IdP, it is synced and will be updated in Stackbit. Default project roles can be found under Manage organization > Members and roles > All members.
Managing Teams
Teams provide the ability to grant access to future organization members.
For example, consider a Design team with three members and developer access to Project 1. A new member is added to the Design team, and when they accept the invitation, they immediately get access to Project 1.
Handling SSO Groups
If using SSO, there is no way to automatically sync SSO groups with Stackbit teams. However, this feature is planned in our roadmap.
Creating a New Team
Go to Manage Organization > New Team and give the team a name.
Then add members to the team.
Reserved Teams
There is a built-in team called Everyone. New organization members are automatically added to the Everyone team, unless a project that existed outside an organization is moved inside the organization. In this case, previous collaborators are provided access to that one particular project in the organization, but they are not added to the Everyone team.
Therefore, note that the Everyone team is different than All Members, since All Members contains absolutely all users within the organization, and it cannot be used as a team.
Project Invitations
Inviting users to projects has various implications, depending on whether the project is inside an organization or not.
Projects Inside Organizations
To invite an existing organization member to collaborate in a project, open the project and click on Share. Choose the user, give them a role, and click the Grant Access button.
After granting access to a user, they will see the project in their dashboard.
Inviting Non-Members
Only organization admins can add non-members as project collaborators. They will be able to invite new users via the dropdown menu in the same collaborators modal.
Once the user accepts the invitation to the project, they will also be added as a member in the organization.
Inviting a Team
Admins also have the ability to add a team to a project. All of that team's current and future members will inherit access to that project.
Choose a role for the whole team when giving that team access to the project.
Or choose Default user roles for cross-functional teams.
For cross-functional teams:
- If the organization role is not provided, Stackbit will default to member (lowest permission level).
- If the default project role is not provided, Stackbit will default to viewer (lowest permission level).
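As an added example (not Stackbit code or an official API), the following sketch models an access review of a team grant: it resolves the role each member inherits under a fixed team role or under Default user roles, applies the member/viewer fallbacks, and flags who ends up with code, invite or settings rights. The record shape, capability names and the `USE_DEFAULTS` marker are assumptions made for illustration.

```python
# Illustrative model; data shapes and capability names are assumptions,
# not Stackbit's API or export format.
ROLE_CAPS = {
    "viewer": {"view"},
    "editor": {"view", "edit"},
    "publisher": {"view", "edit", "publish_content"},
    "developer": {"view", "edit", "publish_content", "publish_code",
                  "invite", "manage_settings"},
}
USE_DEFAULTS = "default-user-roles"  # stands for the "Default user roles" option
SENSITIVE = {"publish_code", "invite", "manage_settings"}


def review_team_grant(members, grant_role):
    """Return one row per team member: inherited role, capabilities, fallback flag."""
    rows = []
    for m in members:
        org_role = m.get("org_role") or "member"                  # documented fallback
        default_role = m.get("default_project_role") or "viewer"  # documented fallback
        role = default_role if grant_role == USE_DEFAULTS else grant_role
        caps = set(ROLE_CAPS[role])
        # Only case stated on the page: a publisher who is also an org admin can invite.
        if role == "publisher" and org_role == "admin":
            caps.add("invite")
        fell_back = grant_role == USE_DEFAULTS and not m.get("default_project_role")
        rows.append({"email": m["email"], "role": role,
                     "caps": caps, "fell_back": fell_back})
    return rows


def flag_privileged(rows):
    """Emails of members who inherit code, invite or settings rights."""
    return [r["email"] for r in rows if r["caps"] & SENSITIVE]


# Constructed sample team (not real data).
DESIGN_TEAM = [
    {"email": "ana@example.com", "org_role": "admin", "default_project_role": "publisher"},
    {"email": "bo@example.com", "default_project_role": "developer"},
    {"email": "cy@example.com"},  # no attributes set: falls back to member / viewer
]

if __name__ == "__main__":
    for mode in (USE_DEFAULTS, "developer"):
        rows = review_team_grant(DESIGN_TEAM, mode)
        print(mode, [(r["email"], r["role"]) for r in rows], flag_privileged(rows))
```

Running the same review with a fixed `developer` grant shows every current member, including the one with no attributes, inheriting code and settings rights, which is the case to check before attaching a broad team to a project.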
Projects in SSO Organizations
Since the organization is defined in the Identity Provider (IdP), the collaborators dropdown will only show users of the organization who have logged in to Stackbit at least once as part of the organization.
However, everyone added to the organization in the IdP will be able to use SSO to log into Stackbit with their company credentials.
Users who have not logged into Stackbit at least once can still be added to teams and projects, but they will appear as pending until they log into Stackbit for the first time.
Projects Outside Organizations
If a project is not part of an organization, collaborators can be invited directly using the collaboration menu to invite users by email.
The user(s) will receive an email invitation that needs to be accepted in order to be able to view, edit, and publish the project.
Custom Roles
Organization administrators can create and manage custom roles for their organization members and project collaborators.
Organization Member Custom Roles
Organization roles are managed within organization settings.
Create custom roles for organization members by clicking "Add Custom" in the "Organization role" section.
Give the new role a name and choose the appropriate permissions and projects.
After saving, the new role will be available in the dropdown for members.
Project Collaborator Custom Roles
Project collaborator roles are managed within organization settings.
Create custom roles for project collaborators by clicking "Add Custom" in the "Organization collaborator role" section.
Give the new role a name and choose the appropriate permissions and projects.
Go into the settings in a project within the organization to verify the new role is available.
Deleting Custom Roles
Custom roles can only be deleted when they are not in use. Built-in roles can't be deleted or modified.
Hover over the role to show the delete icon.